Because financial transaction systems require a high level of security, financial transaction terminals, such as automated teller machines (“ATMs”) and point-of-sale (“POS”) devices, often use cryptographic techniques to protect sensitive transaction data transmitted through a financial transaction system. Traditionally, each financial transaction terminal in a financial transaction system is assigned a key. The financial transaction terminals use the keys to encrypt transaction data before transmitting the transaction data to another device. Because the transaction data is encrypted, eavesdroppers intercepting the transmission cannot obtain the actual transaction data and therefore cannot use the data illegally.
In the past, keys were manually distributed to financial transaction terminals using a security concept referred to as “dual control.” The security concept of dual control involves having multiple people (e.g., two people) physically visit a site of a financial transaction terminal (e.g., an ATM) and load separate components of a key into the financial transaction terminal. Although multiple people are involved in issuing the key, no single person knows the entire key, and therefore the security and secrecy of the key are increased.
In recent years, the American National Standards Institute (“ANSI”) suggested that financial transaction terminals each be issued a unique key in order to increase the security of financial transaction systems. By assigning each financial transaction terminal a unique key, one compromised key can only be used to exploit a single financial transaction terminal and does not provide access to every financial transaction terminal included in a financial transaction system. In addition, ANSI suggested that each financial transaction terminal use a longer (i.e., harder to break by brute force) key, such as a triple data encryption standard (“DES”) key that includes 112 bits.
In order to adhere to the suggestions of ANSI, new keys need to be loaded onto financial transaction terminals. However, re-keying multiple financial transaction terminals of a financial transaction system using a manual key distribution process can be costly and time-consuming. In addition, using a human-intensive process can be prone to errors and can decrease the security of the distributed keys. For example, if the multiple individuals involved in a key distribution process pool their individual knowledge of a key, an entire key can be obtained illegally.
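The dual-control loading and the pooling risk described above can be made concrete with a short sketch. This is an added example, not part of the original text: it assumes the key components are combined by XOR (a common convention the text does not specify), and all function names are hypothetical.

```python
import secrets
from functools import reduce

KEY_LEN = 16  # double-length triple-DES key: 112 key bits plus 16 parity bits

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def set_odd_parity(key):
    """DES convention: the low bit of each byte makes its bit count odd."""
    out = bytearray()
    for b in key:
        ones = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)

def split_key(key, custodians=2):
    """Give each custodian one component; all are needed to rebuild the key."""
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    parts.append(reduce(xor_bytes, parts, key))  # last part = key XOR others
    return parts

def combine(components):
    """What the terminal does once every custodian has entered a component."""
    return reduce(xor_bytes, components)

def missing_component(known, candidate_key):
    """The component a second custodian would need for `candidate_key`.

    One exists for every candidate, so one component alone rules out no key.
    """
    return xor_bytes(known, candidate_key)

if __name__ == "__main__":
    key = set_odd_parity(secrets.token_bytes(KEY_LEN))  # constructed sample key
    a, b = split_key(key)
    print("custodian A enters:", a.hex())
    print("custodian B enters:", b.hex())
    print("terminal key matches:", combine([a, b]) == key)
    # Pooling: custodians who share their components recover the whole key.
    print("pooled components give key:", xor_bytes(a, b) == key)
```

The last line of the demo is the failure mode the text describes: the scheme protects the key only while the custodians keep their components separate.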